A new phishing campaign targeting users of Microsoft Outlook email service is being used on a wide scale, warned cybersecurity researchers at Zscaler ThreatLabz in a report. As per ThreatLabz, the main targets of this campaign are the corporate users of Microsoft’s email services.
According to the report, the new phishing kit uses an adversary-in-the-middle (AiTM) model, which could help evade detection by network security and email protection. The AiTM model may also allow the phishing attack to bypass multi-factor authentication protections.
These phishing attacks begin with emails with malicious links being sent to the targeted individuals. In some cases, the business emails of executives are compromised first and then used to target several individuals.
“Based on our cloud data telemetry, the majority of the targeted organizations were in the FinTech, Lending, Finance, Insurance, Accounting, Energy and Federal Credit Union industries. This is not an exhaustive list of industry verticals targeted. A majority of the targeted organizations were located in the United States, United Kingdom, New Zealand, and Australia,” said the report.
The report also lays out some “interesting domain name patterns” which are as follows:
Legit Federal Credit Union domain name: crossvalleyfcu[.]org
Attacker-registered domain name: crossvalleyfcv[.]org
Legit Federal Credit Union domain name: triboro-fcu[.]org
Attacker-registered domain name: triboro-fcv[.]org
Legit Federal Credit Union domain name: cityfederalcu[.]com
Attacker-registered domain name: cityfederalcv[.]com
Legit Federal Credit Union domain name: portconnfcu[.]com
Attacker-registered domain name: portconnfcuu[.]com
Legit Federal Credit Union domain name: oufcu[.]com
Attacker-registered domain name: oufcv[.]com
Keywords related to “password reset” and “password expiry”
As per the report, some of the domain names used keywords related to “password reset” and “password expiry” reminders. It is likely that the theme of the corresponding phishing emails was built around the same keywords.
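The two domain patterns described above (one-character lookalikes of a legitimate credit union domain, and names carrying password-reset or password-expiry keywords) can both be checked mechanically. The script below is an added example for defenders and is not code from Zscaler or from the report: it takes the legitimate domains the report lists as a constructed "protected" set, scores candidate domains from a DNS log or newly-registered-domain feed by edit distance against that set, and separately flags lure keywords. The keyword stems, the edit-distance threshold of 1, and the sample candidate list are assumptions chosen for illustration.

```python
"""Flag lookalike and lure-keyword domains against a list of protected domains.

Added example (not from the Zscaler report): given the legitimate domains the
report lists, score candidate domains by edit distance and by the presence of
password-reset / password-expiry keywords, so a defender can review DNS logs or
newly registered domain feeds for the patterns the report describes.
"""
from typing import Dict, List, Tuple

# Legitimate domains taken from the report's examples; a real deployment would
# load the organisation's own brand and partner domains here instead.
PROTECTED_DOMAINS = [
    "crossvalleyfcu.org",
    "triboro-fcu.org",
    "cityfederalcu.com",
    "portconnfcu.com",
    "oufcu.com",
]

# Lure-theme stems the report associates with some attacker domains
# ("password reset", "password expiry"). "expir" covers expiry/expire/expired.
# The stem list itself is an assumption for this example.
LURE_KEYWORDS = ("password", "reset", "expir")

# Any candidate within this many single-character edits of a protected domain
# is treated as a lookalike (distance 0 is an exact, legitimate match).
MAX_LOOKALIKE_DISTANCE = 1


def refang(domain: str) -> str:
    """Turn defanged 'example[.]org' into 'example.org', lower-cased and trimmed."""
    return domain.strip().lower().replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def closest_protected(domain: str) -> Tuple[str, int]:
    """Return the protected domain nearest to `domain` and its edit distance."""
    best = min(PROTECTED_DOMAINS, key=lambda p: levenshtein(domain, p))
    return best, levenshtein(domain, best)


def assess_domain(candidate: str) -> Dict[str, object]:
    """Score one candidate domain for the two patterns the report describes."""
    domain = refang(candidate)
    closest, distance = closest_protected(domain)
    lookalike = 0 < distance <= MAX_LOOKALIKE_DISTANCE
    keywords = [k for k in LURE_KEYWORDS if k in domain]
    return {
        "domain": domain,
        "closest": closest,
        "distance": distance,
        "lookalike": lookalike,
        "keywords": keywords,
        "suspicious": lookalike or bool(keywords),
    }


def scan(candidates: List[str]) -> List[Dict[str, object]]:
    """Return assessments for every candidate that looks suspicious."""
    return [r for r in (assess_domain(c) for c in candidates) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample: the report's attacker domains, one legitimate domain,
    # one unrelated benign name, and one constructed lure-keyword domain.
    sample = [
        "crossvalleyfcv[.]org", "triboro-fcv[.]org", "cityfederalcv[.]com",
        "portconnfcuu[.]com", "oufcv[.]com", "oufcu.com", "example.com",
        "password-reset-alert.com",  # constructed, not from the report
    ]
    for hit in scan(sample):
        print(f"{hit['domain']:28} closest={hit['closest']:20} "
              f"dist={hit['distance']} keywords={hit['keywords']}")
```

Each of the five attacker domains the report lists sits exactly one edit away from its legitimate counterpart (u to v, or one duplicated letter), so a threshold of 1 against a short protected list catches all of them without flagging the real domain or an unrelated name; widen the threshold or the protected list with care, since each step up raises the false-positive rate on short labels.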
The report stresses that several other domains are involved in this active campaign, and that not all of them follow such a pattern.